Falco on FICN's blog https://blog.fnicen.top/tags/falco/ Recent content in Falco on FICN's blog Hugo -- 0.139.3 en Mon, 01 Jun 2026 19:46:35 +0800 无外网环境使用helm部署Falco https://blog.fnicen.top/posts/%E6%97%A0%E5%A4%96%E7%BD%91%E7%8E%AF%E5%A2%83%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2falco/ Mon, 01 Jun 2026 19:46:35 +0800 https://blog.fnicen.top/posts/%E6%97%A0%E5%A4%96%E7%BD%91%E7%8E%AF%E5%A2%83%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2falco/ <h2 id="背景">背景</h2> <p>在K8s集群中,希望引入Falco进行统一的集群操作审计</p> <p>这就需要先安装Falco,借助<code>json</code>插件与<code>k8saudit</code>插件创建一个Webhook客户端,专用于接收API Server的操作审计数据</p> <p>当前已有<code>falco:0.44.0</code>镜像,以及一个Falco的<code>custom_values.yaml</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">driver</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enabled</span>: <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">collectors</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enabled</span>: <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">controller</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kind</span>: <span style="color:#ae81ff">deployment</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">services</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8saudit-webhook</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">NodePort</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ports</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">port</span>: <span style="color:#ae81ff">9765</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">protocol</span>: <span style="color:#ae81ff">TCP</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">falco</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">rules_files</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">/etc/falco/k8s_audit_rules.yaml</span> </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">/etc/falco/rules.d</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">plugins</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8saudit</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">library_path</span>: <span style="color:#ae81ff">/usr/share/falco/plugins/libk8saudit.so</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">init_config</span>: <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">open_params</span>: <span style="color:#e6db74">&#34;http://:9765/k8s-audit&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">json</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">library_path</span>: <span style="color:#ae81ff">/usr/share/falco/plugins/libjson.so</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">init_config</span>: <span style="color:#e6db74">&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">load_plugins</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">k8saudit</span> </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">json</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">json_output</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">json_include_output_property</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">json_include_tags_property</span>: <span style="color:#66d9ef">true</span> </span></span></code></pre></div><div class="admonition tip"> <div class="admonition-title">关于格式</div> <div class="admonition-content">values文件的格式可参考:https://raw.githubusercontent.com/falcosecurity/charts/refs/heads/master/charts/falco/values.yaml</div> </div> <p>在机器可以访问外网的情况下,执行<code>helm install falco falcosecurity/falco -n kube-audit -f custom_values.yaml</code>即可将Falco部署到集群</p> <p>但我们的集群无法访问外网,<strong>首先拉取不到Chart,其次也拉取不到<code>falcoctl</code>以及两个插件,甚至连插件的<code>index</code>文件都无法获取</strong></p> <p>因此,需要考虑离线安装Falco</p> <h2 id="手动下载chart">手动下载Chart</h2> <p>执行:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>wget https://github.com/falcosecurity/charts/releases/download/falco-9.0.0/falco-9.0.0.tgz </span></span></code></pre></div><p>即可获取<code>falco-9.0.0.tgz</code>Chart文件,如此一来,Chart的本地化解决</p> <h2 id="falcoctl离线安装">falcoctl离线安装</h2> <p>在Pod启动时,会尝试拉取<code>falcoctl</code>容器镜像,它会被自动配置为Falco Pod的一个Init Container,用于管理安全规则Rules、插件Plugins</p>